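---
# Play 1: prepare the managed host so the remaining plays can run.
# Tagged `always` so it executes no matter which tags were selected.
- name: Bootstrap remote ansible environment
  hosts: all
  tags:
    - always
  tasks:
    # The condition only matches Rocky even though the name says CentOS 8;
    # these are the SELinux / policycoreutils / firewalld Python bindings the
    # corresponding Ansible modules need on a RHEL-family host.
    - name: Install CentOS 8 python bindings
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.dnf:
        state: present
        name:
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall

    - name: Create state directory
      become: true
      ansible.builtin.file:
        path: "{{ skylab_state_dir }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        # Quoted: an unquoted leading-zero literal is a YAML 1.1 octal integer.
        mode: "0755"

    # The interpreter variable was misspelled (`ansible_python_interpeter`), so
    # the `default(...)` branch always won and an explicitly configured
    # ansible_python_interpreter was silently ignored. The discovered path is
    # preferred because ansible_python_interpreter may hold an `auto`-style
    # value rather than a path; discovered_interpreter_python is normally set
    # only when discovery ran, so the fallback covers the explicit-path case.
    - name: Create bootstrap virtualenv
      ansible.builtin.command:
        cmd: >-
          {{ discovered_interpreter_python | default(ansible_python_interpreter) }}
          -m venv {{ skylab_ansible_venv }} --system-site-packages
        creates: "{{ skylab_ansible_venv }}/bin/python"

    # No `become`: the venv belongs to ansible_user.
    - name: Pin bootstrap virtualenv pip
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        name: pip
        state: present
        version: "{{ skylab_pip_version }}"

    # NOTE(review): remote-requirements.txt is not visible here; pinned versions
    # (ideally with hashes) keep the bootstrap environment reproducible.
    - name: Copy requirements file to remote
      ansible.builtin.copy:
        src: remote-requirements.txt
        dest: "{{ skylab_ansible_venv }}/requirements.txt"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0644"

    - name: Install remote requirements
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        requirements: "{{ skylab_ansible_venv }}/requirements.txt"
        state: present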
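# Play 2: baseline host configuration (hostname, EPEL, sudo, shell profile).
- name: Configure common server settings
  hosts: all
  tasks:
    - name: Set hostname
      become: true
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
        use: systemd

    # The repo definition now carries gpgcheck and the key URL (the same key
    # the next task imports) so EPEL packages are always signature-checked
    # instead of depending on the host's global dnf default.
    - name: Install EPEL repository config
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.yum_repository:
        name: epel
        description: Extra Packages for Enterprise Linux
        # NOTE(review): the '/Everything' segment is only added for major
        # version 8; confirm against the mirror layout for the other releases
        # this play is expected to run on (e.g. 9).
        baseurl: "https://download.fedoraproject.org/pub/epel/$releasever{{ '/Everything' if ansible_distribution_major_version == '8' else '' }}/$basearch/"
        gpgcheck: true
        gpgkey: "https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"

    - name: Install EPEL GPG key
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.rpm_key:
        state: present
        key: "https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"

    # A syntax error in a sudoers.d fragment disables sudo for every user, so
    # the fragment is checked with visudo before it is moved into place.
    # sudoers fragments are conventionally root:root and 0440 (never writable
    # by group or others, or sudo ignores them).
    - name: Disable sudo password for WHEEL group
      when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
      become: true
      ansible.builtin.copy:
        src: wheel-group-no-sudo-password
        dest: /etc/sudoers.d/30-wheel
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -csf %s

    # Sourced by every login shell, including root's, so it must stay
    # non-writable by the group it is handed to.
    - name: Install global bash config
      become: true
      ansible.builtin.copy:
        src: global.sh
        dest: /etc/profile.d/ZZ-skylab-global.sh
        owner: root
        group: "{{ ansible_user }}"
        mode: "0644"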
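# Play 3: harden sshd and tidy the login banner.
- name: Configure SSH
  hosts: all
  handlers:
    # NOTE(review): on Debian the unit is ssh.service; `sshd` is expected to
    # resolve through its alias — confirm on a Debian host.
    - name: restart-sshd
      become: true
      ansible.builtin.systemd:
        name: sshd
        state: restarted
  tasks:
    # Every sshd_config edit is validated with `sshd -t` before the file is
    # written, so a bad edit cannot leave the host with an sshd that refuses to
    # start once the restart handler fires. The patterns match the directive
    # whether it is active or commented out and whatever its current value: a
    # stock sshd_config commonly ships `#PermitRootLogin prohibit-password`,
    # which the previous `(yes|no)` pattern never matched, leaving root login
    # at its default.
    # NOTE(review): when sshd_config contains an `Include` of
    # /etc/ssh/sshd_config.d/*.conf, a drop-in there that sets the same
    # directive takes precedence (sshd keeps the first value it reads); these
    # tasks do not touch drop-ins.
    - name: Disable root auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s+\S+.*$'
        replace: "PermitRootLogin no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    - name: Disable password auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s+\S+.*$'
        replace: "PasswordAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    # NOTE(review): newer OpenSSH releases call this KbdInteractiveAuthentication
    # and keep the old name only as an alias; a stock config on such a release
    # may not contain this spelling at all, in which case nothing is changed.
    - name: Disable challenge response auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*ChallengeResponseAuthentication\s+\S+.*$'
        replace: "ChallengeResponseAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    - name: Disable GSSAPI auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*GSSAPIAuthentication\s+\S+.*$'
        replace: "GSSAPIAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]

    # Editing /etc/pam.d/sshd needs root; this was the only file edit in the
    # play without `become`. The pattern now tolerates runs of whitespace
    # between the fields — stock Debian/Ubuntu files align the columns with
    # several spaces, which the single-space pattern did not match (confirm
    # on a target host). Once commented the line no longer starts with
    # `session`, so the task stays idempotent.
    - name: Disable dynamic MOTD on debian systems
      when: ansible_os_family == "Debian"
      become: true
      ansible.builtin.replace:
        path: /etc/pam.d/sshd
        regexp: '^session\s+optional\s+pam_motd\.so\s+motd=/run/motd\.dynamic'
        replace: "#session optional pam_motd.so motd=/run/motd.dynamic"

    - name: Disable Cockpit activation message on Rocky
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.file:
        path: /etc/motd.d/cockpit
        state: absent

    - name: Copy MOTD to remote
      become: true
      ansible.builtin.template:
        src: motd.j2
        dest: /etc/motd
        mode: "0644"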